OAuth 2.0 identity providers#
Starburst Enterprise platform (SEP) includes support for OAuth 2.0 authentication. The following sections provide information about configuring and using the supported identity providers.
All OAuth 2.0 implementations require oauth2
to be included in the values
set for the http-server.authentication.type
configuration property in the config.properties
file on the
coordinator in addition to other configuration properties described in this
document.
OpenID Connect metadata#
OpenID Connect servers publish their metadata at a well-known URL, typically
https://authorization-server.com/.well-known/openid-configuration
. The
data returned by this endpoint is used to configure OAuth 2.0 authentication.
Warning
If the authorization server is issuing JSON Web Tokens (JWTs) and the
metadata document contains userinfo_endpoint
, SEP uses this endpoint to
check the validity of OAuth2 access tokens. Since JWTs can be inspected
locally, using them against userinfo_endpoint
may result in authentication
failure. In this case, set the
http-server.authentication.oauth2.oidc.use-userinfo-endpoint
configuration
property to false
(http-server.authentication.oauth2.oidc.use-userinfo-endpoint=false
). This
instructs SEP to ignore userinfo_endpoint
and inspect tokens locally.
For more information on OpenID, refer to OpenID Connect.
Supported identity providers#
The following sections detail the necessary configuration steps in each of the
supported identity provider’s user interface and in the config.properties
file on the SEP coordinator. The following identity providers are supported:
Okta#
This section provides specific information for setting up OAuth 2.0 for SEP in Okta. There are two tasks to complete:
Create an Okta app
Configure the client
The following sections describe the steps to complete these tasks.
Create an Okta app#
If you are using an existing app integration you can skip this step, referring to it only as a guideline on where to obtain the required information.
Create a Starburst Enterprise web UI app integration#
Use the following steps to configure an app integration for the Starburst Enterprise web UI:
In the Okta Admin Console, create an Okta app integration.
In the Create a new app integration pane, for Sign-in method, select OIDC - OpenID Connect. For Application type, select Native Application. Click Next.
In the New Native App Integration pane, in the General Settings > App integration name field, provide a name for this app integration. You can optionally upload a logo or image file to represent the app in the Okta dashboards of your users.
In the next pane, for Grant type, ensure the Authorization Code and Refresh Token checkboxes are selected.
For Sign-in redirect URIs enter the OAuth 2.0 authentication callback URL
https://<sep-coordinator-domain-name>/oauth2/callback
.Click Add URI to add another redirect URI. Enter the following five redirect URIs:
http://localhost:55555/Callback
http://localhost:55556/Callback
http://localhost:55557/Callback
http://localhost:55558/Callback
http://localhost:55559/Callback
For Sign-out redirect URIs, enter
https://<sep-coordinator-domain-name>/ui/insights/redirected_logout
.In the Assignments pane, for Controlled access, select Allow everyone in your organization to access. Select the Enable immediate access with Federation Broker Mode checkbox. Click Save.
In the next pane, in the Client Credentials section, click Edit.
For Client authentication, select Client secret. Then, uncheck the Require PKCE as additional verification checkbox. Click Save.
Save your Client ID and Client Secrets in a text editor for a later step.
Select the Okta API Scopes tab. For Consent, ensure Any is selected.
In the Scope list, find
okta.users.read
. Click Grant.For Consent, select Granted. In the Scope list, confirm that you see
okta.users.read
.You can optionally click the blank logo box and upload a logo or image file to represent the app.
Configure the client#
In the General tab of the Okta Admin Console, click the Client Credentials section and copy the
Client ID
.Set the
http-server.authentication.oauth2.client-id
property in theconfig.properties
file on the coordinator to theClient ID
displayed in the Client Credentials section:
http-server.authentication.oauth2.client-id=<Client ID displayed in Okta Admin Console>
In the General tab of the Okta Admin Console, click the Client Credentials section and copy the
Client secret
.Set the
http-server.authentication.oauth2.client-secret
property in theconfig.properties
file on the coordinator to the Client Secret displayed in the Client Credentials section:
http-server.authentication.oauth2.client-secret=<Client Secret displayed in Okta Admin Console>
In the Okta Admin Console, go to Security > API > Authorization Servers. Choose the authorization server for your application under Name, and copy the
Issuer
URL.Set the
http-server.authentication.oauth2.issuer
property in theconfig.properties
file on the coordinator to theIssuer
URL value:
http-server.authentication.oauth2.issuer=https://example-account.okta.com/oauth2/default
In the Okta Admin UI, copy the Audience and use it to set the
http-server.authentication.oauth2.additional-audiences
property in theconfig.properties
file on the coordinator:
http-server.authentication.oauth2.additional-audiences=<Audience displayed in Okta Admin Console>
Configuration properties values summary#
The following table describes all configuration properties available to configure SEP with OAuth 2.0 through Okta, and their values or source of the values:
Property |
Value |
---|---|
|
As copied from Audience displayed in the Okta Admin Console |
|
As copied from Client ID displayed in the Okta Admin Console |
|
As copied from Client Server displayed in the Okta Admin Console |
|
As copied from Issuer displayed in the Okta Admin Console |
|
|
Configure Okta for SCIM synchronization#
To configure Okta for SCIM synchronization, see the SCIM documentation.
Azure Active Directory#
Microsoft Entra ID (formerly Azure Active Directory)#
This section provides specific information for setting up OAuth 2.0 for SEP in Azure. There are several tasks to complete:
Create a Microsoft Entra ID (formerly Azure Active Directory) app integration
Expose the API
Configure the client
Configure passthrough authentication settings (optional)
Configure endpoint properties
The following sections describe the steps to complete these tasks.
Create a Microsoft Entra ID app integration#
Skip this step if you use an existing app registration.
Go to Microsoft Azure Portal > Microsoft Entra ID > App registrations > New registration.
Enter a name, for example
sep-app-01
, and choose Accounts in this organizational directory only (Starburst Data only - Single tenant) from Supported account types. This is needed in a later step.For Redirect URI use Web and the OAuth 2.0 authentication callback URL
https://<sep-coordinator-domain-name>/oauth2/callback
.Click Register.
Update your app registration in the App registrations page of the Azure Portal using the following information:
URIs:
http://localhost:55555/Callback
http://localhost:55556/Callback
http://localhost:55557/Callback
http://localhost:55558/Callback
http://localhost:55559/Callback
Application ID URI:
https://<sep-coordinator-domain-name>.starburstdata.com
Scope name:
StarburstUsers.Read.All
Expose the API#
Use the following steps to expose an API for SEP. For more information, see the Azure documentation.
Expose the Starburst API in the Expose an API page of the Azure Portal using the following information:
Application ID URI:
https://<sep-coordinator-domain-name>.starburstdata.com
Scope name:
StarburstUsers.Read.All
Configure
http-server.authentication.oauth2.scopes
in theconfig.properties
file on the coordinator as a comma-separated list including the scope URL and openid:
http-server.authentication.oauth2.scopes=https://<sep-coordinator-domain-name>.starburstdata.com/StarburstUsers.Read.All,openid
Configure the client#
Once the app integration is added and the API is exposed, the client is configured in the Azure Portal:
Go to Certificates & secrets and select New client secret.
Enter description and set an expiration period.
Copy the value of the secret to and set
http-server.authentication.oauth2.client-secret
in theconfig.properties
file on the coordinator to that value:
http-server.authentication.oauth2.client-secret=<Client Secret displayed in Azure Portal>
Go to API permissions > Add a permission. Do the following, in the order shown:
Select My APIs at the top.
In the list of app registrations, click on the name you entered for your app registration,
sep-app-01
in this example.Check the box for Delegated permissions.
Check the box for the scope you created earlier (for example,
SEPUsers.Read.All
)Click the Add permission button.
Go to Overview > Application (client) ID, and use the content to configure
http-server.authentication.oauth2.client-id
on the coordinator.Set the
http-server.authentication.oauth2.access-token-issuer
property in theconfig.properties
file on the coordinator tohttps://sts.windows.net/<your-tenant-id>/
. The trailing forward slash is a required part of the URL.
http-server.authentication.oauth2.access-token-issuer=https://sts.windows.net/9ac99957-7c90-4d4f-9993-d8a199928c05/
Set the
http-server.authentication.oauth2.principal-field
property in theconfig.properties
file on the coordinator toupn
.
http-server.authentication.oauth2.principal-field=upn
Configure passthrough authentication settings#
Skip this step unless you are implementing passthrough authentication.
To configure Microsoft Entra ID OAuth2 passthrough authentication, click API permissions > Add a permission again, and do the following, in the order shown:
Ensure that Microsoft APIs is selected at the top.
Select Azure Storage from the list of applications.
Check the box for Delegated permissions.
Check the box for user_impersonation.
Click the Add permission button.
In the Authentication section, the following options must be checked as appropriate for your environment:
Access tokens - Used for implicit flows
ID tokens - Used for implicit and hybrid flows
If you are using passthrough authentication, you must set the
http-server.authentication.oauth2.additional-audiences
property in theconfig.properties
file on the coordinator as a comma separated list withhttps://storage.azure.com
and the URL of your SEP coordinator:
http-server.authentication.oauth2.additional-audiences=https://storage.azure.com,https://sep-app-01.example.com
Set the
http-server.authentication.type
in theconfig.properties
file on the coordinator as follows:
http-server.authentication.type=delegated-oauth2
Once the authentication type is set to
delegated-oauth2
, you must change thehttp-server.authentication.oauth2.scopes
configuration property in theconfig.properties
file on the coordinator as follows:
http-server.authentication.oauth2.scopes=https://storage.azure.com/user_impersonation,openid
Note
For delegated-oauth2
you do not set your own scope.
Configure endpoint properties#
Go to Overview > Endpoints.
Navigate to the OpenID Connect metadata document.
Find the
issuer
field and use its value to set thehttp-server.authentication.oauth2.issuer
configuration property in theconfig.properties
file on the coordinator. For example:
http-server.authentication.oauth2.issuer=https://login.microsoftonline.com/9ac99957-7c90-4d4f-9993-d8a199928c05/v2.0
Warning
Microsoft Entra ID does not return access_token_issuer
in OpenID Connect
Metadata document the provider metadata.
Access tokens in JWT format use a different issuer.
Configure the groups field#
The System for Cross-domain Identity Management (SCIM) protocol synchronizes information about users and groups with external providers such as Microsoft Entra ID. For more information about SCIM, see SCIM user and group synchronization.
Note
The Azure group name is not used. The field is populated with the Object IDs of the groups to which the user belongs.
Configuration properties values summary#
The following table describes all configuration properties available to configure SEP with OAuth 2.0 through Azure, and their values or source of the the values. Identifiers shown are for purposes of example only.
Property |
Value examples |
---|---|
|
As copied from Overview > Application (client) ID in the Azure Portal |
|
As copied from Certificates & secrets in the Azure Portal |
|
|
|
|
|
|
|
|
|
|
Configure Azure for SCIM synchronization#
To configure Azure AD for SCIM synchronization, see the SCIM documentation.
Active Directory Federation Services#
OAuth 2.0 can be implemented for SEP in organizations using Active Directory Federation services (ADFS). There are two tasks to complete:
Create an ADFS application group
Configure the client
The following sections describe the steps to complete these tasks.
Create an ADFS Application Group#
If you are using an existing ADFS application group you skip this step, referring to it only as a guideline on where to obtain the required information.
Open the ADFS administrative UI.
Choose Application Groups > Add Application Group.
Specify a name for your application group, for example
sep-app-group
, and use the Server application template.Enter the OAuth 2.0 authentication callback URL
https://<sep-coordinator-domain-name>/oauth2/callback
for Redirect URI.Set the
http-server.authentication.oauth2.client-id
property in theconfig.properties
file on the coordinator to the Client ID for the application group displayed in the ADFS Administrative UI:
http-server.authentication.oauth2.client-id=<Client ID displayed in the ADFS administrative UI>
In the ADFS administrative UI, select Configure Application Credentials > Generate a shared secret.
Set the
http-server.authentication.oauth2.client-secret
property in theconfig.properties
file on the coordinator to the Client Secret displayed in the ADFS administrative UI:
http-server.authentication.oauth2.client-secret=<Client Secret displayed in ADFS administrative UI>
Configure the client#
In the ADFS administrative UI, go to Service > Endpoints.
Click OpenID Connect Discovery. Use the metadata to configure
http-server.authentication.oauth2.issuer
in theconfig.properties
file on the coordinator.Set the
http-server.authentication.oauth2.scopes
property in theconfig.properties
file on the coordinator to the following:
http-server.authentication.oauth2.scopes=openid
Set the
http-server.authentication.oauth2.additional-audiences
property in theconfig.properties
file on the coordinator to the following:
http-server.authentication.oauth2.additional-audiences=urn:microsoft:userinfo
Configuration properties values summary#
The following table describes all configuration properties available to configure SEP with OAuth 2.0 through ADFS, and their values or source of the values:
Property |
Value |
---|---|
|
|
|
As copied from Client ID displayed in the ADFS Administrative Console |
|
As copied from Client Secret displayed in the ADFS Administrative Console |
|
As copied from the OpenID metadata endpoint |
|
openid |
Keycloak#
This section provides specific information for setting up OAuth 2.0 for SEP using Keycloak.
There are two tasks to complete:
Create application
Configure the client
The following sections describe the steps to complete these tasks.
Create application#
Use your existing realm, for example myrealm
where your Keycloak instance
is configured to run on https://example.com
. The base Keycloak URL to use
with the configuration properties in the this section becomes
https://example.com/auth/realms/myrealm
.
In the Keycloak administrative UI, select your realm, and click Configure > Clients > Create.
Provide a meaningful name for the SEP application in the Client ID field, such as
starburst-sep
.Set the Access Type field to
confidential
.Set the Client Protocol field to
openid-connect
.Click Save, then click Save again.
Open the Credentials tab to view the values for
Client ID
andSecret
needed to configure the client.In the Redirect URIs field, enter the OAuth 2.0 authentication SEP callback URL,
https://<sep-coordinator-domain-name>/oauth2/callback
.
Configure the client#
Set the
http-server.authentication.oauth2.client-id
property in theconfig.properties
file on the coordinator to the Client ID displayed in Keycloak:
http-server.authentication.oauth2.client-id=<Client ID displayed in Keycloak UI>
Set the
http-server.authentication.oauth2.client-secret
property in theconfig.properties
file on the coordinator to the Client Secret displayed in the Keycloak Credentials tab:
http-server.authentication.oauth2.client-secret=<Client Secret displayed in Keycloak UI>
Set the
http-server.authentication.oauth2.issuer
property in theconfig.properties
file on the coordinator to your realm’s base Keycloak URL:
http-server.authentication.oauth2.issuer=<base Keycloak URL for your realm>
Set the
http-server.authentication.oauth2.scopes
property in theconfig.properties
file on the coordinator to the following:
http-server.authentication.oauth2.scopes=openid
Configuration properties values summary#
The following table describes all configuration properties available to configure SEP with OAuth 2.0 through Keycloak:
Property |
Value |
---|---|
|
Client ID from Keycloak |
|
Client secret from Keycloak. Note: Only clients with access type set
to |
|
|
|
|
Google Cloud Platform#
This section provides specific information for setting up OAuth 2.0 for SEP in Google cloud Platform (GCP).
There are two tasks to complete:
Create application
Configure the client
The following sections describe the steps to complete these tasks.
Create application#
In Google Cloud Platform open APIs & Services > Credentials.
Click + CREATE CREDENTIALS and OAuth client ID > Web application.
Provide a meaningful name for the SEP application.
In the Authorized redirect URIs, enter the OAuth 2.0 authentication SEP callback URL,
https://<sep-coordinator-domain-name>/oauth2/callback
.
Configure the client#
Set the
http-server.authentication.oauth2.client-id
property in theconfig.properties
file on the coordinator to the Client ID displayed in GCP:
http-server.authentication.oauth2.client-id=<Client ID displayed in GCP UI>
Set the
http-server.authentication.oauth2.client-secret
property in theconfig.properties
file on the coordinator to the Client Secret displayed in GCP:
http-server.authentication.oauth2.client-secret=<Client Secret displayed in GCP UI>
Set the properties on the coordinator in the
config.properties
file:
http-server.authentication.oauth2.issuer=https://accounts.google.com
http-server.authentication.oauth2.principal-field=email
http-server.authentication.oauth2.scopes=openid,https://www.googleapis.com/auth/userinfo.email
http-server.authentication.oauth2.userinfo-url=https://openidconnect.googleapis.com/v1/userinfo
Configuration properties values summary#
The following table describes all configuration properties available to configure SEP with OAuth 2.0 on GCP, and their values or source of the values:
Property |
Value |
---|---|
|
oauth2 |
|
As copied from Client ID displayed in the GCP UI |
|
As copied from Client Server displayed in the GCP UI |
|
|
|
|
|
|
|
|
|
|
For more information on Google APIs and OAuth 2.0, refer to Using OAuth 2.0 to Access Google APIs.
PingIdentity#
This section provides specific information for setting up OAuth 2.0 for SEP in PingIdentity (PingID). There are two tasks to complete:
Create an OIDC application
Configure the client
The following sections describe the steps to complete these tasks.
Create an OIDC application#
In PingIdentity, follow these steps:
In the Applications menu, create a new application using the OpenID Connect protocol.
Configure the following on the Configuration tab of the new application:
Grant type: Authorization Code
Redirect URI:
https://<sep-coordinator-domain-name>/oauth2/callback
Collect the Issuer, Client ID, and Client Secret values to be used later in configuration.
In the Attributes tab, create a custom attribute that maps the
sub
attribute to the PingOneUsername
mapping with theopenid
scope.
Configure the client#
Set the
http-server.authentication.oauth2.client-id
property in theconfig.properties
file on the coordinator to the Client ID displayed in PingIdentity:
http-server.authentication.oauth2.client-id=<client ID>
Set the
http-server.authentication.oauth2.client-secret
property in theconfig.properties
file on the coordinator to the Client Secret displayed in PingIdentity:
http-server.authentication.oauth2.client-secret=<client secret>
Set the
http-server.authentication.oauth2.issuer
property in theconfig.properties
file on the coordinator to the Issuer URL displayed in PingIdentity:
http-server.authentication.oauth2.issuer=<issuer URL>
Configuration properties values summary#
The following table describes all configuration properties available to configure SEP with OAuth 2.0 through PingIdentity:
Property |
Value |
---|---|
|
Client ID from PingIdentity |
|
Client secret from PingIdentity |
|
Issuer URL from PingIdentity |
Enable OAuth for Power BI clients#
In order for users to authenticate with OAuth SEP using Microsoft Power BI, you must do the following:
Add the
http-server.authentication.oauth2.public-client-id
property to your SEP coordinator node’sconfig.properties
file, and set its value to the the PKCE client ID as registered in your OAuth provider.Under Manage > Authentication > Mobile and desktop applications, set your OAuth provider’s
redirect_uri
tohttps://oauth.powerbi.com/views/oauthredirect.html
.